09-15-2013 03:58 AM - edited 03-11-2019 07:38 PM
I have a cisco 5505 HA pair connected to the 10.1.0.0/16 subnet
The LAN IP is 10.1.1.5 and the standby is 10.1.1.254.
I am looking at the logging and can see traffic going from 10.1.0.0/24 addresses to OTHER 10.1.0.0/24 addresses.
If I tick the "Enable traffic between two or more hosts connected to the same interface" box and click apply, the logs seem to be allowing the traffic. However, I have no idea why the traffic should be TOUCHING the firewall.
Surely the switches in the middle (Cisco 3750 switches) would forward ARP requests and so forth and learn that the destination MAC addresses for the devices on the same network (even though the switch is not aware of L3) are not out the port that leads to the firewall.
This is the second time I have installed an HA pair at a site and find traffic between devices on the same network hitting the firewall.
Is there some bizarre quirk where an ASA will reply to ARP requests or something?
I have checked all PCs and they are on the correct subnet with the correct subnet masks.
Please help. This is driving me insane and goes against everything I understand about networking.
09-15-2013 04:05 AM
Hi,
ASA firewalls are by default set to reply to ARP requests even if they don't own the IP address. I mean have it on some local interface or even a NAT configuration.
So the only thing that I can think of at the moment is that you have Proxy ARP enabled on the interface of the ASA where you are seeing the traffic.
Proxy ARP can be disabled with

    sysopt noproxyarp

Here is the Command Reference section on this command:
http://www.cisco.com/en/US/docs/security/asa/command-reference/s21.html#wp1572088
Hope this helps
- Jouni
09-15-2013 11:25 AM
Thank you sooo much. That's done it.
That's certainly a default behaviour I've never seen before. Very strange.
I just got CCNA Security and bought the CCNP Firewall book a couple of weeks ago. Better hurry up and start reading.
09-17-2013 01:26 PM
ASA proxy ARP is only triggered for NAT global addresses and VPN client addresses. Check your config to see which one is causing your traffic to be misdirected. It is a common mistake to forget no-proxy-arp on identity NAT statements.
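A way to confirm the symptom from the original question and the two answers above from a packet capture on the LAN segment, as an added example that is not part of the thread and not Cisco's code: the script parses ARP replies in the style of `tcpdump -e -n arp` output and reports every IP address for which one of the ASA's interface MACs answered without owning it, plus any IP that more than one MAC claimed (the same host answering both itself and being proxied by the firewall). The capture text, the MAC addresses, the `is-at` line layout and the firewall interface details are all constructed for this example; the real values come from `show interface` and `show arp` on the ASA, and the exact tcpdump line format varies by version. Once the answering MAC is confirmed to be the firewall's, the fix is the `sysopt noproxyarp` command from the accepted answer or the `no-proxy-arp` keyword on the NAT statement that triggers it, as the last reply notes.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -e -n arp` output (timestamps and
# Ethernet headers shortened). Not a real capture; the ASA (00:1a:2b:3c:4d:5e)
# is shown answering for 10.1.1.20 and 10.1.1.30 although it only owns 10.1.1.5.
SAMPLE_CAPTURE = """\
10:01:02.100 00:50:56:aa:bb:10 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.1.1.20 tell 10.1.1.10, length 28
10:01:02.101 00:1a:2b:3c:4d:5e > 00:50:56:aa:bb:10, ARP, Reply 10.1.1.20 is-at 00:1a:2b:3c:4d:5e, length 28
10:01:02.102 00:50:56:aa:bb:20 > 00:50:56:aa:bb:10, ARP, Reply 10.1.1.20 is-at 00:50:56:aa:bb:20, length 28
10:01:03.200 00:1a:2b:3c:4d:5e > 00:50:56:aa:bb:10, ARP, Reply 10.1.1.30 is-at 00:1a:2b:3c:4d:5e, length 28
10:01:04.300 00:1a:2b:3c:4d:5e > 00:50:56:aa:bb:10, ARP, Reply 10.1.1.5 is-at 00:1a:2b:3c:4d:5e, length 28
10:01:05.400 00:50:56:aa:bb:40 > 00:50:56:aa:bb:10, ARP, Reply 10.1.1.40 is-at 00:50:56:aa:bb:40, length 28
"""

# Constructed firewall details (active and standby LAN IPs from the question;
# the MAC is invented). On a real ASA take them from `show interface` / `show arp`.
FIREWALL_MACS = {"00:1a:2b:3c:4d:5e"}
FIREWALL_IPS = {"10.1.1.5", "10.1.1.254"}

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump ARP line.
REPLY_RE = re.compile(
    r"\bReply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)


def parse_arp_replies(capture):
    """Return a list of (ip, mac) pairs, one per ARP reply line in the capture."""
    replies = []
    for line in capture.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append((m.group(1), m.group(2).lower()))
    return replies


def proxied_addresses(replies, firewall_macs, firewall_ips):
    """Map each firewall MAC to the IPs it answered for but does not own.

    A non-empty result is the proxy-ARP signature: the ASA is claiming
    addresses of other hosts on its own subnet, so their neighbours send
    same-subnet traffic to the firewall.
    """
    proxied = defaultdict(set)
    for ip, mac in replies:
        if mac in firewall_macs and ip not in firewall_ips:
            proxied[mac].add(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address) for mac, ips in proxied.items()}


def contested_addresses(replies):
    """Map each IP claimed by more than one MAC to the sorted list of claimants.

    With proxy ARP active, a live host and the firewall both answer for the
    host's address; which reply wins depends on timing, which is why the
    symptom in the thread looks intermittent.
    """
    claims = defaultdict(set)
    for ip, mac in replies:
        claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    replies = parse_arp_replies(SAMPLE_CAPTURE)
    for mac, ips in proxied_addresses(replies, FIREWALL_MACS, FIREWALL_IPS).items():
        print(f"firewall MAC {mac} answered ARP for non-local IPs: {', '.join(ips)}")
    for ip, macs in contested_addresses(replies).items():
        print(f"{ip} claimed by several MACs: {', '.join(macs)}")
```

Run it against a real capture by replacing `SAMPLE_CAPTURE` with the output of `tcpdump -e -n arp` taken on a host in the affected VLAN; if the firewall MAC shows up in `proxied_addresses`, the ASA's proxy ARP is what is pulling same-subnet traffic through it.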